Penetration Testing: Re: FAX virus

[cwright () bdosyd com au]

I have though about this for a while following some of the earlier posts. 

Faxing a virus is out of the question and I have not seen anything to state the contrary. I have thought of an 
alternate path to loading a virus bases on a network OCR’d fax server. In the scenario, we have to assume that the 
system is sending the output to a web front end or HTTP enabled email (not that uncommon).

There are a few assumptions that I will place first.

 - The system has no input filters and prints all characters to the email, web app.
 - The OCR engine is highly accurate and does not add spaces etc.
 - The email or web app displays exactly what it received

Now given that scenario, we have a possible XSS (cross-site-scripting) attack.

If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client 
browser/email application allows access to the Internet, the attacker could create a script in the page that makes a 
call to an external system to download a file. 

In a simple scenario, an AV server on the proxy level should get this. 

However, a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it 
would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the 
AV server (if there is one) and install the malware on the users system.

So the faxing of the virus is still out of the equation, but it does allow an infection (or other attack) vector.

Regards,
Dr Craig Wright (GSE-Compliance)

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------